Grafana High Availability - LDAP
2023-12-22 15:47:16
I. Grafana high availability
1. Migrating the existing Grafana
sqlitedump.sh
#!/bin/bash
# Dump every table of a Grafana sqlite database as MySQL-style TRUNCATE + INSERT statements.
DB=$1
# .tables prints several names per line; split them one per line and skip migration_log,
# which Grafana maintains itself on the target database.
TABLES=$(sqlite3 "$DB" .tables | sed -r 's/(\S+)\s+(\S)/\1\n\2/g' | grep -v migration_log)
for t in $TABLES; do
    echo "TRUNCATE TABLE $t;"
done
for t in $TABLES; do
    echo -e ".mode insert $t\nselect * from $t;"
done | sqlite3 "$DB"
Convert grafana.db into a MySQL .sql file
- Locate Grafana's grafana.db, generate the .sql file, then source it into MySQL:
bash sqlitedump.sh grafana.db > grafana.sql
2. Deployment
- Store the data in MySQL
1) MySQL
- Grafana initializes the schema itself; the database only has to exist beforehand.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql
  namespace: monitor
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
---
#apiVersion: v1
#kind: ConfigMap
#metadata:
#  name: my.cnf
#  namespace: monitor
#data:
#  my.cnf: |
#    [mysqld]
#    port=3306
#---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              value: Man10f&3^H_98est$
              #valueFrom:
              #  secretKeyRef:
              #    name: mysql-root-password
              #    key: password
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: mysqlvolume
              mountPath: /var/lib/mysql
            # - name: mysql-conf
            #   mountPath: /etc/mysql/my.cnf
            #   subPath: my.cnf
      volumes:
        - name: mysqlvolume
          persistentVolumeClaim:
            claimName: mysql
        #- name: mysql-conf
        #  configMap:
        #    name: my.cnf
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    app: mysql
  type: ClusterIP
  ports:
    - port: 3306
      protocol: TCP
      targetPort: 3306
mysql -h mysql -u root -p
create database grafana;
use grafana;
CREATE USER 'grafana'@'%' IDENTIFIED BY 'Man10f&3^H_98est$';
GRANT all on *.* TO 'grafana'@'%';
# import the data
source /grafana.sql
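As an added example (not from the original post), here is the same sqlite-to-MySQL conversion that sqlitedump.sh performs above, written in Python so that the escaping is explicit: sqlite's `.mode insert` output only doubles single quotes, while MySQL treats a backslash inside a quoted string as an escape character, so dashboard JSON that contains regular expressions or escaped quotes can be altered on import unless every backslash is doubled. The sample database (a `user` table, a `dashboard` row whose JSON contains a backslash, and a `migration_log` table) is constructed inline as a stand-in for grafana.db. Two points about the import step above follow from the page's own procedure: the TRUNCATE statements assume Grafana has already been started once against the empty database so that the tables exist, and `GRANT ALL ON *.*` grants the account every privilege on every database where Grafana only needs `grafana.*`.

```python
import sqlite3
from typing import Iterable, List

# Tables Grafana maintains itself on the target database; copying them would
# collide with the migration history MySQL already has.
SKIP_TABLES = {"migration_log"}


def sql_literal(value) -> str:
    """Render one sqlite cell as a MySQL literal (NULL, blob, number or string)."""
    if value is None:
        return "NULL"
    if isinstance(value, bytes):
        return "X'" + value.hex() + "'"
    if isinstance(value, (int, float)):
        return repr(value)
    # MySQL interprets backslashes inside quoted strings; sqlite's own dump does
    # not double them, which silently damages JSON such as {"regex":"^cpu\\d+$"}.
    text = str(value).replace("\\", "\\\\").replace("'", "''")
    return "'" + text + "'"


def dump_tables(conn: sqlite3.Connection, skip: Iterable[str] = SKIP_TABLES) -> List[str]:
    """Return TRUNCATE + INSERT statements (MySQL dialect) for every user table."""
    skipped = set(skip)
    names = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name"
        )
        if row[0] not in skipped
    ]
    statements = [f"TRUNCATE TABLE `{t}`;" for t in names]
    for t in names:
        cur = conn.execute(f'SELECT * FROM "{t}"')
        cols = ", ".join(f"`{d[0]}`" for d in cur.description)
        for row in cur:
            values = ", ".join(sql_literal(v) for v in row)
            statements.append(f"INSERT INTO `{t}` ({cols}) VALUES ({values});")
    return statements


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for grafana.db: a user, a dashboard whose JSON holds a
    backslash-escaped regex, and the migration_log table that must be skipped."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, email TEXT);
        CREATE TABLE dashboard (id INTEGER PRIMARY KEY, title TEXT, data TEXT);
        CREATE TABLE migration_log (id INTEGER PRIMARY KEY, migration_id TEXT);
        INSERT INTO user VALUES (1, 'admin', 'admin@example.invalid');
        INSERT INTO dashboard VALUES (1, 'Node''s CPU', '{"regex":"^cpu\\\\d+$"}');
        INSERT INTO migration_log VALUES (1, 'create user table');
        """
    )
    return conn


if __name__ == "__main__":
    # Redirect stdout to a file and source it in the mysql client, as on the page.
    for stmt in dump_tables(build_sample_db()):
        print(stmt)
```

The dashboard row comes out as `'{"regex":"^cpu\\\\d+$"}'` with four backslashes, which MySQL stores back as the original two; the shell script's output would have left two and MySQL would have kept one, breaking the JSON.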
2) Grafana
- The configuration file needs to be changed as follows; add your other settings yourself, only the MySQL part is covered here.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana
  namespace: monitor
  #annotations:
  #  volume.beta.kubernetes.io/storage-class: "nfs"
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: monitor
data:
  grafana.ini: |
    [database]
    type = mysql
    host = mysql.monitor.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = debug
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitor
spec:
  rules:
    - host: grafana-panel.yee.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
  tls:
    - hosts:
        - grafana-panel.yee.com
      secretName: 2022-yee.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitor
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        runAsUser: 0
      containers:
        - name: grafana
          image: harbor.yee.com:8443/library/grafana:8.5.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: grafana
          env:
            - name: GF_SECURITY_ADMIN_USER
              value: admin
            - name: GF_SECURITY_ADMIN_PASSWORD
              value: Manifest%0304
          readinessProbe:
            failureThreshold: 10
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2
              memory: 2Gi
            requests:
              cpu: 150m
              memory: 512Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: storage
            - mountPath: /etc/grafana/grafana.ini
              subPath: grafana.ini
              name: config
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana
        - name: config
          configMap:
            name: grafana-config
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitor
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana
3. LDAP
To join Grafana to the domain and log in with domain accounts, LDAP has to be configured. LDAP is a communication protocol, in the same way that HTTP is a protocol.
- The domain controller's DN. In an LDAP directory:
  - DC (Domain Component)
  - CN (Common Name)
  - OU (Organizational Unit)
- An LDAP directory resembles a file system directory. The directory DC=redmond,DC=wa,DC=microsoft,DC=com, by analogy with a file system, can be read as the path Com\Microsoft\Wa\Redmond.
- For example, cn=test may stand for a user name and ou=developer for an organizational unit in Active Directory; such a DN says that the object test sits in the developer organizational unit of the domainname.com domain.
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: prometheus
data:
  grafana.ini: |
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = info
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-ldap
  namespace: prometheus
data:
  ldap.toml: |
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    # [log]
    # filters = ldap:debug
    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "192.168.1.250"
    # Default port is 389 or 636 if use_ssl = true
    port = 389
    # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
    use_ssl = false
    # If set to true, use LDAP with STARTTLS instead of LDAPS
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    # root_ca_cert = "/path/to/certificate.crt"
    # Authentication against LDAP servers requiring client certificates
    # client_cert = "/path/to/client.crt"
    # client_key = "/path/to/client.key"
    # Search user bind dn
    #bind_dn = "CN=xingguang,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    bind_dn = "ooo" # fill in according to your own directory
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = 'dfs@52%2(89!ykWc'
    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(name=*))"
    search_filter = "(sAMAccountName=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(sAMAccountName={login}))"
    # An array of base dns to search through
    search_base_dns = ["OU=ooo,DC=sdrad,DC=com"]
    ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
    ## Please check grafana LDAP docs for examples
    # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
    # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
    # group_search_filter_user_attribute = "uid"
    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "displayName"
    #surname = "sn"
    #username = "username"
    username = "sAMAccountName"
    #member_of = "memberOf"
    email = "mail"
    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Admin"
    # To make user an instance admin (Grafana Admin) uncomment line below
    grafana_admin = true
    # The Grafana organization database id, optional, if left out the default org (id 1) will be used
    #org_id = 1
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Editor"
    #org_id = 2
    #
    [[servers.group_mappings]]
    ## If you want to match all (or no ldap groups) then you can use wildcard
    group_dn = "*"
    org_role = "Viewer"
    #org_id = 3
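The following is an added example (not part of the original post and not Grafana's own code) that models the two things the LDAP section relies on: how a DN such as DC=redmond,DC=wa,DC=microsoft,DC=com decomposes into its DC/OU/CN components and maps onto the file-path analogy given earlier, and how the ordered [[servers.group_mappings]] list above turns a user's group memberships into org roles. The mappings, group DNs and host names in the block are constructed placeholders. The first-match-per-org rule in resolve_roles is my reading of how Grafana walks the mapping list (check it against your Grafana version), and it is the reason the "*" fallback has to stay last, as it does above. audit_server flags the [[servers]] connection settings from the same file that send the bind_dn password and user passwords over the network unencrypted (use_ssl and start_tls both false, as configured above on port 389) or that skip certificate validation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed mappings in the same order as the [[servers.group_mappings]]
# tables above; the group DNs and org id are placeholders, not a real directory.
GROUP_MAPPINGS: List[Dict] = [
    {"group_dn": "CN=grafana-admins,OU=ops,DC=example,DC=com",
     "org_role": "Admin", "grafana_admin": True, "org_id": 1},
    {"group_dn": "CN=grafana-editors,OU=ops,DC=example,DC=com",
     "org_role": "Editor", "org_id": 1},
    {"group_dn": "*", "org_role": "Viewer", "org_id": 1},
]

# Constructed [[servers]] connection blocks: the page's settings and a hardened variant.
PAGE_SERVER = {"host": "ldap.example.invalid", "port": 389,
               "use_ssl": False, "start_tls": False, "ssl_skip_verify": False}
HARDENED_SERVER = {"host": "ldap.example.invalid", "port": 636,
                   "use_ssl": True, "start_tls": False, "ssl_skip_verify": False}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first; a comma escaped as '\\,' stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_as_path(dn: str) -> str:
    """The page's file-system analogy: the root (last component) comes first."""
    return "\\".join(value for _, value in reversed(parse_dn(dn)))


def normalize_dn(dn: str) -> str:
    """Attribute types and (in Active Directory) values compare case-insensitively."""
    return ",".join(f"{attr}={value.lower()}" for attr, value in parse_dn(dn))


def resolve_roles(member_of: List[str], mappings: List[Dict] = GROUP_MAPPINGS) -> Dict:
    """Walk the mappings in file order; the first match for an org fixes that org's
    role, so a "*" entry only acts as a fallback when it is listed last."""
    groups = {normalize_dn(g) for g in member_of}
    org_roles: Dict[int, str] = {}
    grafana_admin: Optional[bool] = None
    for mapping in mappings:
        matched = mapping["group_dn"] == "*" or normalize_dn(mapping["group_dn"]) in groups
        if not matched:
            continue
        org_id = mapping.get("org_id", 1)
        if org_id in org_roles:
            continue  # an earlier mapping already decided this org
        org_roles[org_id] = mapping["org_role"]
        if grafana_admin is None and "grafana_admin" in mapping:
            grafana_admin = mapping["grafana_admin"]
    return {"org_roles": org_roles, "grafana_admin": bool(grafana_admin)}


def wildcard_is_last(mappings: List[Dict] = GROUP_MAPPINGS) -> bool:
    """A "*" mapping anywhere but last shadows every later mapping for the same org."""
    stars = [i for i, m in enumerate(mappings) if m["group_dn"] == "*"]
    return not stars or stars == [len(mappings) - 1]


def audit_server(server: Dict) -> List[str]:
    """Flag [[servers]] settings that expose the bind password or skip certificate checks."""
    findings = []
    if not server.get("use_ssl") and not server.get("start_tls"):
        findings.append("use_ssl and start_tls are both false: bind_password and user passwords "
                        f"cross the network in cleartext on port {server.get('port', 389)}")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify is true: the directory's certificate is not validated")
    return findings


if __name__ == "__main__":
    print(dn_as_path("DC=redmond,DC=wa,DC=microsoft,DC=com"))
    print(resolve_roles(["CN=Grafana-Editors,OU=ops,DC=example,DC=com"]))
    print("wildcard last:", wildcard_is_last())
    for finding in audit_server(PAGE_SERVER):
        print("finding:", finding)
    print("hardened findings:", audit_server(HARDENED_SERVER))
```

A user who is in both the admins and the editors group gets Admin for org 1 and grafana_admin, because the admins mapping is listed first; a user in no mapped group falls through to the Viewer wildcard. Moving the "*" mapping to the top would make every user a Viewer and nothing else.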
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
spec:
  rules:
    - host: grafana-test.yee.net.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
  tls:
    - hosts:
        - grafana-test.yee.net.cn
      secretName: yee.net.cn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: prometheus
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      nodeSelector:
        ldap: "true"
      securityContext:
        runAsUser: 0
      containers:
        - name: grafana
          image: harbor.yee.net.cn/library/grafana:8.5.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: grafana
          env:
            - name: GF_SECURITY_ADMIN_USER
              value: admin
            - name: GF_SECURITY_ADMIN_PASSWORD
              value: Manifest%0304OUR
          readinessProbe:
            failureThreshold: 10
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2
              memory: 2Gi
            requests:
              cpu: 150m
              memory: 512Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: storage
            - mountPath: /etc/grafana/grafana.ini
              subPath: grafana.ini
              name: config
            - mountPath: /etc/grafana/ldap.toml
              subPath: ldap.toml
              name: ldap
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana
        - name: config
          configMap:
            name: grafana-config
        - name: ldap
          configMap:
            name: grafana-ldap
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: prometheus
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana
The Deployment likewise needs the following added (the mount for ldap.toml and its ConfigMap volume):
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: storage
            - mountPath: /etc/grafana/grafana.ini
              subPath: grafana.ini
              name: config
            - mountPath: /etc/grafana/ldap.toml
              subPath: ldap.toml
              name: ldap
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana
        - name: config
          configMap:
            name: grafana-config
        - name: ldap
          configMap:
            name: grafana-ldap
Source: https://blog.csdn.net/moon_naxx/article/details/135153281
This article was contributed by an internet user; the views expressed are the author's own and do not represent this site. The site only provides information storage and does not own the content or assume legal liability for it. If the content infringes rights, is unlawful or inaccurate, contact veading@qq.com; once verified it will be removed immediately.